UDP Syslog Traffic versus Raw Network Capture

I have a diagram where there is a line of UDP syslog traffic flowing from a switch to a web security device and another line extending from the switch to a live-human monitoring station.
What is the difference between UDP syslog traffic and raw network traffic?
Asked by: brothertruffle880
3 Solutions
 
eeRoot commented:
Depends on how the capture tools have been configured. But generally speaking, syslog servers will show a log of events (alerts, informational, debugging, etc.) while monitoring network traffic shows every packet that goes across your network. Network monitors (such as spanned/mirrored ports or hardware taps) show much more info, but it can be too much info sometimes.
 
btan (Exec Consultant) commented:
Log vs. packets. The traffic payload details are mostly found in the packet or raw traffic, while the syslog would have normalised and surfaced the events depending on how the device source is configured. Syslog is at most 2048 bytes, based on RFC 5424 (http://tools.ietf.org/html/rfc5424). Packet capture needs much larger storage, e.g. it can be an estimated 32 MB file saved every 15 minutes.

Specifically, the raw syslog data can be substantial depending on the severity level that is set, e.g. level (0 to 7): emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7). The higher the level, the more messages (and types of messages) that are generated.

You tend to pipe the SPAN port of the switch, which carries the same raw traffic, to further analysis such as AV scan, content filter, or a breach detection system deployed passively inline. In other words, with raw packet traffic you can do more, but with logs you only get what the source wanted you to see. SIEMs are mostly the reason for having centralised logging of all syslog piped to them.

While there are no strict guidelines pertaining to the log format, most syslog messages are generated in human-readable form with the assumption that capable administrators should be able to read them and understand their meaning. Note that the standard syslog protocol does not have mechanisms to provide confidentiality for the messages in transit. In most cases, passing clear-text messages is a benefit to the operations staff as compared to the raw packets from the wire. The operations staff may be able to read the messages and associate them with other events seen from other packets crossing the wire to track down and correct problems.
 
giltjr commented:
One way to think of the difference between syslog data and raw network traffic is the difference between an MS Word document and a file.

While an MS Word document and an MS Excel spreadsheet are both files, what makes them different/unique is the content within the file. So an MS Word document is a subset of "files."

Syslog data is really a subset of "raw network data."

As the others have posted, my guess in your case is that the "raw network data" is a result of port mirroring (either using SPAN or RSPAN or something like that) vs. a connection that is set up to send traffic to a syslog server.
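The "log vs. packets" distinction btan draws (PRI-encoded severity 0 to 7, the 2048-byte message size) and giltjr's point that a syslog record is a subset of the raw network data can both be shown on one constructed datagram. The code below is an added example, not code from any of the answers: it builds a raw IPv4/UDP datagram carrying an RFC 5424 message, then shows what a packet capture sees (addresses, ports, payload length) next to what a syslog receiver sees (facility, severity, host, text). The addresses, hostnames, log lines and the assumption of UDP port 514 are all made up for illustration, and the structured-data parsing is simplified (it does not handle the `\]` escape).

```python
"""Raw UDP datagram vs. the RFC 5424 syslog record it carries (constructed example)."""
import re
import socket
import struct

# Names from RFC 5424 section 6.2.1. The numeric severity is the "level 0 to 7"
# discussed in the thread: 0 = emergency ... 7 = debug.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SYSLOG_UDP_PORT = 514          # assumption: conventional syslog/UDP port
MAX_OCTETS_CITED = 2048        # the 2048-byte figure cited in the answer above

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# Simplification: SD-ELEMENTs are matched as bracket groups without '\]' escapes.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$", re.DOTALL)


def decode_pri(pri):
    """PRI = facility * 8 + severity, so divmod recovers (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_rfc5424(text):
    """Return the fields a syslog receiver would index from one message."""
    m = RFC5424_RE.match(text)
    if not m:
        raise ValueError("not an RFC 5424 message")
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": FACILITIES[facility],
        "severity_num": severity,
        "severity": SEVERITIES[severity],
        "timestamp": m["timestamp"],
        "hostname": m["hostname"],
        "appname": m["appname"],
        "msg": m["msg"] or "",
        # Longer than the cited size: a receiver may truncate or drop it.
        "oversize": len(text.encode()) > MAX_OCTETS_CITED,
    }


def passes_level(severity_num, configured_level):
    """A source set to level N emits severities 0..N, so a higher N means more
    (and noisier) messages, as the answer above notes."""
    return severity_num <= configured_level


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Minimal IPv4 + UDP encapsulation (no options, UDP checksum omitted)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(frame):
    """What a SPAN/mirror capture sees: headers plus the opaque payload bytes."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {
        "src_ip": socket.inet_ntoa(frame[12:16]),
        "dst_ip": socket.inet_ntoa(frame[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": frame[ihl + 8:ihl + udp_len],
    }


def views_of(frame):
    """Side-by-side: the capture view of a datagram and the log view of its payload."""
    pkt = parse_ipv4_udp(frame)
    capture = {k: v for k, v in pkt.items() if k != "payload"}
    capture["payload_bytes"] = len(pkt["payload"])
    log = (parse_rfc5424(pkt["payload"].decode("utf-8", "replace"))
           if pkt["dst_port"] == SYSLOG_UDP_PORT else None)
    return {"capture": capture, "syslog": log}


# Constructed sample messages: auth.info (PRI 38) and auth.debug (PRI 39).
SAMPLE_MESSAGES = [
    "<38>1 2024-01-05T12:00:00Z fw01.example.net sshd 4711 - - "
    "Accepted publickey for ops from 192.0.2.10 port 52144",
    "<39>1 2024-01-05T12:00:01Z fw01.example.net sshd 4711 - "
    "[meta seq=\"2\"] debug: key exchange completed",
]

if __name__ == "__main__":
    for text in SAMPLE_MESSAGES:
        frame = build_ipv4_udp("192.0.2.1", "198.51.100.5", 40000,
                               SYSLOG_UDP_PORT, text.encode())
        print(views_of(frame))
```

Run stand-alone, the script prints both views for each sample: the capture view is the same shape for every datagram (who sent how many bytes to whom), while the syslog view only exists because the payload happens to be a log record the source chose to emit. Changing the configured level from 6 to 7 in `passes_level` is what turns the debug message on.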
